Commit 7a2220a7 authored by Chen-Ying Kuo

New upstream version 1.9.0

sign-checksec.sh
Rev-2018012401 Brian Davis <slimm609@gmail.com>
* checksec.sh: Updated to 1.9.0
* checksec.sh: made all kernel checks dependent on kernel version
* checksec.sh: moved man page to section 1
* checksec.sh: fixed debug flag
* checksec.sh: resolved issue with -d
* checksec.sh: fixed stack protector on 4.18+ kernels
Thanks cheese
* checksec.sh: fixed runpath name in output
Thanks philipturnbull
* checksec.sh: updated readme for offline testing
Thanks matthew-l-weber
Rev-2018012401 Brian Davis <slimm609@gmail.com>
* checksec.sh: Updated to 1.8.0
* checksec.sh: resolved issue with eu-readelf debug
* checksec.sh: shellcheck cleanup
Rev-2017080801 Brian Davis <slimm609@gmail.com>
* checksec.sh: Cleaned up if statements for proper bash expressions
Rev-2016102701 Brian Davis <slimm609@gmail.com>
* checksec.sh: updated to 1.7.5
* checksec.sh: added OSX support
Thanks Ben Actis
* checksec.sh: added space and underscore support
Thanks brianmwaters
* checksec.sh: cleaned up code formatting
Rev-2016022002 Brian Davis <slimm609@gmail.com>
* checksec.sh: updated to 1.7.4
* checksec.sh: fixed man page
* checksec.sh: added pkg_release option to disable updates for packaged releases
* checksec.sh: cleanup up proc-libs
Rev-2016021501 Brian Davis <slimm609@gmail.com>
* checksec.sh: merged in zsh completion
Thanks Vaeth
* checksec.sh: added man page for checksec
* checksec.sh: updated readme to reflect output in place of format option
Rev-2016021501 Brian Davis <slimm609@gmail.com>
* checksec.sh: updated to 1.7.3
* checksec.sh: added xml and json validation tests
* checksec.sh: fixed xml and json errors from validation tests
* checksec.sh: expanded grsecurity checks and cleaned up formatting
Rev-2016010502 Brian Davis <slimm609@gmail.com>
* checksec.sh: Added some extra debug output and started cleanup.
Rev-2016010501 Brian Davis <slimm609@gmail.com>
* checksec.sh: Fixed sysctl path issue #20
Thanks hartwork
Rev-2015122201 Brian Davis <slimm609@gmail.com>
* checksec.sh: Merged in json fixes.
Thanks jpouellet
Rev-2015122101 Brian Davis <slimm609@gmail.com>
* checksec.sh: Merged in passing in command line kernel config, x86 fix and optional tools.
Thanks philippedeswert
* checksec.sh: split off mandatory tool from optional tools.
* checksec.sh: Updated to 1.7.1
* checksec.sh: Added Seccomp tests from olivierlemoal.
Rev-2015102001 Brian Davis <slimm609@gmail.com>
* checksec.sh: Set static LC_ALL to resolve LANG errors. Resolves Ticket #13
* checksec.sh: Merged in additional kernel options and arch specific options. Ticket #14
Thanks philippedeswert
* checksec.sh: Updated to 1.7.0 to support revision releases.
* checksec.sh: put in checks to not display checks that are for different architectures.
Rev-2015091505 Brian Davis <slimm609@gmail.com>
* checksec.sh: added additional debug output for troubleshooting purposes
Rev-2015091401 Brian Davis <slimm609@gmail.com>
* checksec.sh: added debug option for troubleshooting purposes
Rev-2015091301 Brian Davis <slimm609@gmail.com>
* checksec.sh: merged in changes for fedora/epel compliance
Thanks Besser82
* checksec.sh: updated check binaries on run
Thanks Roberto Martelloni
Rev-2015060201 Brian Davis <slimm609@gmail.com>
* checksec.sh: merged in fortified/fortify-able stats on --file output changed
Thanks Roberto Martelloni
Rev-2015011201 Brian Davis <slimm609@gmail.com>
* checksec.sh: moved checksec.sh to checksec
Rev-2014021802 Brian Davis <slimm609@gmail.com>
* checksec.sh: merged in RODATA and STRICT_USER_COPY changes
Thanks N8Fear
Rev-2014021801 Brian Davis <slimm609@gmail.com>
* checksec.sh: merged in JIT and MODHARDEN changes
Thanks N8Fear
Rev-2014021605 Brian Davis <slimm609@gmail.com>
* checksec.sh: Changed --update to verify signature of updates.
* checksec.sig: file added
Rev-2014021601 Brian Davis <slimm609@gmail.com>
* checksec.sh: Removed deprecated Kern Heap section
Thanks Unspawn
2014-02-14 Brian Davis <slimm609@gmail.com>
* checksec.sh: Updated to version 1.6
* checksec.sh: Implemented rev numbers and --update option
* checksec.sh: Added SELinux checks as additional checks for kernel security.
* checksec.sh: Added update option to pull the latest release
* checksec.sh: Added fortify_source to proc-all output.
* checksec.sh: Added Json, strict XML and updated Grsecurity section.
* checksec.sh: Carried over Robin David's changes with XML and CSV.
2013-10-06 Robin David <dev.robin.david@gmail.com>
* add machine-readable outputs like CSV and XML
2011-11-17 Tobias Klein <tk@trapkit.de>
* 1.5
* New checks for rpath and runpath elements in the dynamic sections.
Thanks to Ollie Whitehouse.
* Other bugfixes and improvements
- checksec.sh now takes account of the KBUILD_OUTPUT
environment variable when checking the Linux kernel
protection mechanisms (--kernel).
Thanks to Martin Vaeth for the hint.
- Some minor changes and clean-ups. Thanks to Brian Davis.
- Ubuntu 11.10 support for --fortify-file and --fortify-proc.
2011-01-14 Tobias Klein <tk@trapkit.de>
* 1.4
* Support for FORTIFY_SOURCE (--fortify-file, --fortify-proc)
* Lots of other bugfixes and improvements
- Check if the readelf command is available
- readelf support for 64-bit ELF files
- Check if the requested files and directories do exist
- '--dir' is now case-sensitive and correctly deals with
trailing slashes
- Check user permissions
- Etc.
2010-06-15 Tobias Klein <tk@trapkit.de>
* 1.3.1
* New BSD License
(http://www.opensource.org/licenses/bsd-license.php)
2010-05-04 Tobias Klein <tk@trapkit.de>
* 1.3
* Additional checks for a number of Linux kernel
protection mechanisms.
Thanks to Jon Oberheide (jon.oberheide.org).
2010-01-02 Tobias Klein <tk@trapkit.de>
* 1.2
* Additional PaX (http://pax.grsecurity.net/) checks.
Thanks to Brad Spengler (grsecurity.net) for the PaX
support.
* Some minor fixes (coloring adjusted, 'pidof' replacement)
2009-12-27 Tobias Klein <tk@trapkit.de>
* 1.1
* New '--proc-libs' option. This option instructs
checksec.sh to test the loaded libraries of a process.
* Additional information on ASLR results (--proc,
--proc-all, --proc-libs)
Thanks to Anthony G. Basile of the Tin Hat project
for the hint.
* Additional CPU NX check (--proc, --proc-all, --proc-libs)
2009-01-28 Tobias Klein <tk@trapkit.de>
* 1.0
* Initial release
FROM ubuntu:bionic
# Install dependencies
RUN apt-get update && apt-get -y -q upgrade && DEBIAN_FRONTEND=noninteractive apt-get -y -q install \
bc bison flex build-essential ccache git \
libncurses-dev libssl-dev u-boot-tools wget \
xz-utils vim xfce4 \
&& apt-get clean
COPY . /root
WORKDIR /root
Copyright (c) 2014-2015, Brian Davis
Copyright (c) 2013, Robin David
Copyright (c) 2009-2011, Tobias Klein
All rights reserved.
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions
are met:
* Redistributions of source code must retain the above copyright
notice, this list of conditions and the following disclaimer.
* Redistributions in binary form must reproduce the above copyright
notice, this list of conditions and the following disclaimer in
the documentation and/or other materials provided with the
distribution.
* Neither the name of Tobias Klein nor the name of trapkit.de may be
used to endorse or promote products derived from this software
without specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS
OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED
AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF
THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH
DAMAGE.
checksec
========
Checksec is a bash script to check the properties of executables (like PIE, RELRO, PaX, Canaries, ASLR, Fortify Source).
It was originally written by Tobias Klein and the original source is available here: http://www.trapkit.de/tools/checksec.html
Updates
-------
Last Update: 2018-10-14
For OSX
-------
Install the binutils via brew `brew install binutils`
Examples
--------
**normal (or --format cli)**
$ checksec.sh --file /bin/ls
RELRO STACK CANARY NX PIE RPATH RUNPATH FILE
Partial RELRO Canary found NX enabled No PIE No RPATH No RUNPATH /bin/ls
**csv**
$ checksec.sh --output csv --file /bin/ls
Partial RELRO,Canary found,NX enabled,No PIE,No RPATH,No RUNPATH,/bin/ls
**xml**
$ checksec.sh --output xml --file /bin/ls
<?xml version="1.0" encoding="UTF-8"?>
<file relro="partial" canary="yes" nx="yes" pie="no" rpath="no" runpath="no" filename='/bin/ls'/>
**json**
$ checksec.sh --output json --file /bin/ls
{ "file": { "relro":"partial","canary":"yes","nx":"yes","pie":"no","rpath":"no","runpath":"no","filename":"/bin/ls" } }
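As an added example that is not part of checksec.sh, the following Python triage script reads the csv and json file records in the layouts shown above and lists the hardening gaps per file. The cli value strings beyond the README's /bin/ls sample, the second csv record and the remediation hints are assumptions.

```python
import json

# Column order of `checksec --output csv --file <f>` (README example above).
CSV_COLUMNS = ("relro", "canary", "nx", "pie", "rpath", "runpath", "filename")

# Constructed sample input. The first csv line and the json record copy the
# README's /bin/ls example; the second csv line is invented to show a hardened
# binary that still embeds a RUNPATH (and has a comma in its path).
SAMPLE_CSV = [
    "Partial RELRO,Canary found,NX enabled,No PIE,No RPATH,No RUNPATH,/bin/ls",
    "Full RELRO,Canary found,NX enabled,PIE enabled,No RPATH,RUNPATH,/opt/app,v2/bin/svc",
]
SAMPLE_JSON = ('{ "file": { "relro":"partial","canary":"yes","nx":"yes","pie":"no",'
               '"rpath":"no","runpath":"no","filename":"/bin/ls" } }')


def parse_csv_record(line):
    """Split one csv record. The filename is the last column and may itself
    contain commas, so split at most len(CSV_COLUMNS) - 1 times."""
    fields = line.rstrip("\n").split(",", len(CSV_COLUMNS) - 1)
    if len(fields) != len(CSV_COLUMNS):
        raise ValueError("unexpected checksec csv record: %r" % line)
    return dict(zip(CSV_COLUMNS, fields))


def parse_json_record(text):
    """Load the {"file": {...}} object written by --output json."""
    rec = json.loads(text)["file"]
    return {col: str(rec.get(col, "")) for col in CSV_COLUMNS}


def normalize(key, value):
    """Map cli/csv wording ("No PIE", "Partial RELRO") onto the json/xml vocabulary
    ("no", "partial"). The cli strings not shown in the README are assumed."""
    v = value.strip().lower()
    if v in ("yes", "no", "partial", "full", "dso"):
        return v
    if key == "relro":
        return v.split(" ")[0]  # "no relro" -> "no", "partial relro" -> "partial"
    if key in ("rpath", "runpath"):
        return "no" if v.startswith("no ") else "yes"  # bare "RPATH" means present
    return "no" if v.startswith("no ") or v.endswith("disabled") else "yes"


def findings(rec):
    """Return the hardening gaps of one record as (property, reason) pairs."""
    n = {k: normalize(k, rec[k]) for k in CSV_COLUMNS if k != "filename"}
    out = []
    if n["relro"] != "full":
        out.append(("relro", "GOT stays writable at runtime; link with -Wl,-z,relro,-z,now"))
    if n["canary"] == "no":
        out.append(("canary", "no stack protector; compile with -fstack-protector-strong"))
    if n["nx"] == "no":
        out.append(("nx", "executable stack/heap; look for -z execstack in the build"))
    if n["pie"] == "no":
        out.append(("pie", "fixed load address defeats ASLR; build with -fPIE -pie"))
    if n["rpath"] == "yes" or n["runpath"] == "yes":
        out.append(("rpath", "embedded library search path; confirm every directory is root-owned"))
    return out


def triage(csv_lines, json_texts):
    """Parse both formats and return {filename: [property, ...]} for files with gaps."""
    recs = [parse_csv_record(l) for l in csv_lines] + [parse_json_record(t) for t in json_texts]
    report = {}
    for rec in recs:
        gaps = [prop for prop, _ in findings(rec)]
        if gaps:
            report[rec["filename"]] = gaps
    return report


if __name__ == "__main__":
    for name, gaps in sorted(triage(SAMPLE_CSV, [SAMPLE_JSON]).items()):
        print("%-24s %s" % (name, ", ".join(gaps)))
```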
**Fortify test in cli**
$ checksec.sh --fortify-proc 1
* Process name (PID) : init (1)
* FORTIFY_SOURCE support available (libc) : Yes
* Binary compiled with FORTIFY_SOURCE support: Yes
------ EXECUTABLE-FILE ------- . -------- LIBC --------
FORTIFY-able library functions | Checked function names
-------------------------------------------------------
fdelt_chk | __fdelt_chk
read | __read_chk
syslog_chk | __syslog_chk
fprintf_chk | __fprintf_chk
vsnprintf_chk | __vsnprintf_chk
fgets | __fgets_chk
strncpy | __strncpy_chk
snprintf_chk | __snprintf_chk
memset | __memset_chk
strncat_chk | __strncat_chk
memcpy | __memcpy_chk
fread | __fread_chk
sprintf_chk | __sprintf_chk
SUMMARY:
* Number of checked functions in libc : 78
* Total number of library functions in the executable: 116
* Number of FORTIFY-able functions in the executable : 13
* Number of checked functions in the executable : 7
* Number of unchecked functions in the executable : 6
**Kernel test in Cli**
$ checksec.sh --kernel
* Kernel protection information:
Description - List the status of kernel protection mechanisms. Rather than
inspect kernel mechanisms that may aid in the prevention of exploitation of
userspace processes, this option lists the status of kernel configuration
options that harden the kernel itself against attack.
Kernel config: /proc/config.gz
GCC stack protector support: Enabled
Strict user copy checks: Disabled
Enforce read-only kernel data: Disabled
Restrict /dev/mem access: Enabled
Restrict /dev/kmem access: Enabled
* grsecurity / PaX: Auto GRKERNSEC
Non-executable kernel pages: Enabled
Non-executable pages: Enabled
Paging Based Non-executable pages: Enabled
Restrict MPROTECT: Enabled
Address Space Layout Randomization: Enabled
Randomize Kernel Stack: Enabled
Randomize User Stack: Enabled
Randomize MMAP Stack: Enabled
Sanitize freed memory: Enabled
Sanitize Kernel Stack: Enabled
Prevent userspace pointer deref: Enabled
Prevent kobject refcount overflow: Enabled
Bounds check heap object copies: Enabled
JIT Hardening: Enabled
Thread Stack Random Gaps: Enabled
Disable writing to kmem/mem/port: Enabled
Disable privileged I/O: Enabled
Harden module auto-loading: Enabled
Chroot Protection: Enabled
Deter ptrace process snooping: Enabled
Larger Entropy Pools: Enabled
TCP/UDP Blackhole: Enabled
Deter Exploit Bruteforcing: Enabled
Hide kernel symbols: Enabled
* Kernel Heap Hardening: No KERNHEAP
The KERNHEAP hardening patchset is available here:
https://www.subreption.com/kernheap/
**Kernel Test in XML**
$ checksec.sh --output xml --kernel
<?xml version="1.0" encoding="UTF-8"?>
<kernel config='/boot/config-3.11-2-amd64' gcc_stack_protector='yes' strict_user_copy_check='no' ro_kernel_data='yes' restrict_dev_mem_access='yes' restrict_dev_kmem_access='no'>
<grsecurity config='no' />
<kernheap config='no' />
</kernel>
**Kernel Test in Json**
$ checksec.sh --output json --kernel
{ "kernel": { "KernelConfig":"/boot/config-3.11-2-amd64","gcc_stack_protector":"yes","strict_user_copy_check":"no","ro_kernel_data":"yes","restrict_dev_mem_access":"yes","restrict_dev_kmem_access":"no" },{ "grsecurity_config":"no" },{ "kernheap_config":"no" } }
Using with Cross-compiled Systems
---------------------------------------
The checksec tool can be used against cross-compiled target file-systems offline. Key limitations to note:
* Kernel tests - require you to execute the script on the running system you'd like to check, as they directly access kernel resources to identify system configuration/state. You can specify the kernel config file after the -k option.
* File check - offline testing works for all the checks except the Fortify feature. Fortify uses the running system's libraries rather than those in the offline file-system. There are ways to work around this (chroot), but at the moment the ideal configuration has this script executing on the running system when checking the files.
The checksec tool's normal use case is runtime checking of the system's configuration. If the system is an embedded target, the native binutils tools like readelf may not be present, which restricts which parts of the script will work.
Even with those limitations, the amount of valuable information this script provides still makes it a useful tool for checking offline file-systems.
Warning
-------
Due to the original structure of the script the **--output** argument should be placed first on the command line arguments. Doing differently would require really big changes in the code.
#!/usr/bin/env bash
# keep checksec executable and checksec_automation file in same directory.
#sudo find $1 -type f -executable -exec file -i '{}' \; | grep 'x-executable; charset=binary' | cut -c1- | cut -d ':' -f1 > linux_executables.txt
#tree -fi $1 > linux_executables.txt
help() {
echo "Usage: ./checksec_automation.sh <dir_to_scan> [<output_file_name>]"
}
#run help if nothing is passed
if [[ "$#" -lt 1 ]]; then
help
exit 1
fi
# default the report file so tee never runs without a target
outfile="${2:-checksec_output.txt}"
# checksec must sit next to this script (running it would otherwise exit 127, "command not found")
if [[ ! -x ./checksec ]]; then
echo "File not Found. Keep checksec in same directory and run the script again."
exit 1
fi
# collect ELF executables and shared libraries; the path is everything before the first ':' of file's output
find "$1" -type f -executable -exec file -i '{}' \; | grep -e 'application/x-sharedlib; charset=binary' -e 'application/x-executable; charset=binary' | cut -d ':' -f1 > linux_executables.txt
echo "Checksec Output" | tee "$outfile"
# read line by line so paths containing spaces are kept whole
while IFS= read -r i; do
./checksec -f "$i" | tee -a "$outfile"
done < linux_executables.txt
.\" Process this file with
.\" groff -man -Tascii foo.1
.\"
.TH CHECKSEC 1 "FEBRUARY 2016" Linux "User Manuals"
.SH NAME
checksec \- check executables and kernel properties
.SH SYNOPSIS
.B checksec [options] [file]
.SH DESCRIPTION
.B checksec
is a bash script used to check the properties of executables
(like PIE, RELRO, PaX, Canaries, ASLR, Fortify Source) and kernel security
options (like GRSecurity and SELinux).
.SH OPTIONS
.TP
\fB\-o\fP or \fB\--output\fP or \fB\--format\fP \fB{cli|csv|xml|json}\fP
Output the results in different formats for ingestion to other applications.
NOTE: This option must go before any other options currently
.TP
\fB\-h\fP or \fB\--help\fP
Displays the help text
.TP
\fB\-f\fP or \fB\--file\fP
Checks individual files for security features compiled into the executable
.TP
\fB\-d\fP or \fB\--dir\fP
Recursively checks all executable files in the directory for security features compiled into the executables
.TP
\fB\-p\fP or \fB\--proc\fP
Checks the security features of a running process by name
.TP
\fB\-pa\fP or \fB\--proc-all\fP
Checks the security features of all running processes
.TP
\fB\-pl\fP or \fB\--proc-libs\fP
Checks the security features of all libraries of a running process ID
.TP
\fB\-k\fP or \fB\--kernel\fP
Checks the security features of the running kernel or a specified kernel config
.TP
\fB\-ff\fP or \fB\--fortify-file\fP
Checks the fortifiability of a file and if any of the fortifiable features have already been compiled into the file
.TP
\fB\-fp\fP or \fB\--fortify-proc\fP
Checks the fortifiability of a running process and if any of the fortifiable features have already been compiled in
.TP
\fB\--version\fP
Shows the current version of the running software
.TP
\fB\-u\fP or \fB\--update\fP or \fB\--upgrade\fP
Checks source for a signed update and updates the application if available
.SH DIAGNOSTICS
The following diagnostics may be issued on stderr:
Permission Denied.
.RS
For most of the checks you must be root.
.RE
Debugging
.RS
\fB\--debug\fP option can be specified for debug level output
.RE
.SH AUTHORS
Brian Davis <slimm609 at gmail dot com>
.PP
Checksec was originally written by Tobias Klein
Summary: Tool to check system for binary-hardening
Name: checksec
Version: 1.7.4
Release: 1
License: BSD
Group: Development/Tools
Source0: https://raw.githubusercontent.com/slimm609/checksec.sh/master/%{name}
Source1: https://raw.githubusercontent.com/slimm609/checksec.sh/master/ChangeLog
URL: https://github.com/slimm609/checksec.sh
Requires: binutils
BuildArch: noarch
BuildRoot: %{tmpdir}/%{name}-%{version}-root-%(id -u -n)
%description
Modern Linux distributions offer some mitigation techniques to make it
harder to exploit software vulnerabilities reliably. Mitigations such
as RELRO, NoExecute (NX), Stack Canaries, Address Space Layout
Randomization (ASLR) and Position Independent Executables (PIE) have
made reliably exploiting any vulnerabilities that do exist far more
challenging.
The checksec script is designed to test what *standard* Linux OS and
PaX <http://pax.grsecurity.net/> security features are being used.
As of version 1.3 the script also lists the status of various Linux
kernel protection mechanisms.
checksec can check binary-files and running processes for hardening
features.
%prep
cp -p %{SOURCE1} ChangeLog
%install
rm -rf $RPM_BUILD_ROOT
install -d $RPM_BUILD_ROOT%{_bindir}
install -p %{SOURCE0} $RPM_BUILD_ROOT%{_bindir}/%{name}
%clean
rm -rf $RPM_BUILD_ROOT
%files
%defattr(644,root,root,755)
%doc ChangeLog
%attr(755,root,root) %{_bindir}/%{name}
A completion file for zsh was added which can just be put into a directory of zsh's $fpath
(e.g. on gentoo into /usr/share/zsh/site-functions/)
#compdef checksec
local curcontext="$curcontext" state state_descr line
typeset -A opt_args
_arguments -C : \
'--version[print version]' \
{'(--help)-h','(-h)--help'}'[print help]' \
'--debug[debug mode]' \
{'(--update)--upgrade','(--upgrade)--update'}'[update program]' \
{'(--format --output)-o','(-o --output)--format','(-o --format)--output'}'[use specified output format]:output format:->format' \
{'(--dir)-d','(-d)--dir'}'[\[-v\] check specified DIR]:vdir:->vdir' \
{'(--file)-f','(-f)--file'}'[check specified FILE]:file to check:_files' \
{'(--proc)-p','(-p)--proc'}'[check specified process NAME]:process name:->procname' \
{'(--proc-all)-pa','(-pa)--proc-all'}'[check all processes]' \
{'(--proc-libs)-pl','(-pl)--proc-libs'}'[check specified ID'\''s process libs]:process ID to check: _pids' \
{'(--kernel)-k','(-k)--kernel'}'[check kernel]' \
{'(--fortify-file)-ff','(-ff)--fortify-file'}'[check specified FILE for fortify]:file for fortify:_files' \
{'(--fortify-proc)-fp','(-fp)--fortify-proc'}'[check specified ID'\''s process for fortify]:process ID for fortify: _pids'
local ret=$?
case $state in
format)
local formats
formats=(
'cli:use cli output format'
'csv:use csv output format'
'xml:use xml output format'
'json:use json output format'
)
_describe -t formats 'output format' formats
ret=$?;;
procname)
compadd "$expl[@]" ${${${${(f)"$(_call_program processes-names ps ${${EUID/(#s)0(#e)/xa}//[0-9]#/}ho command 2> /dev/null)"//[][\(\)]/}:#(ps|COMMAND|-*)}%%\ *}:t}
ret=$?;;
vdir)
compadd "$expl[@]" -v
_files -/
ret=0;;
esac
return ret
FROM ubuntu:bionic
# Install dependencies
RUN apt-get update \
&& apt-get -y -q upgrade \
&& apt-get -y -q install \
bc bison flex build-essential \
ccache git libncurses-dev libssl-dev \
u-boot-tools wget xz-utils \
&& apt-get clean
COPY build_kernel_configs.sh /root
#!/bin/bash
# Build all-yes kernel configs for testing different versions
set -e
build_config () {
cd /root
mkdir -p /root/configs
if [[ ! -s "/root/configs/config-$1.$2.1" ]]; then
wget "https://mirrors.edge.kernel.org/pub/linux/kernel/v$1.x/linux-$1.$2.1.tar.xz"
tar Jxvf "linux-$1.$2.1.tar.xz"
cd "linux-$1.$2.1"
# allyesconfig turns on every option so each kernel check has something to find
make allyesconfig
cp .config "/root/configs/config-$1.$2.1"
cd /root
rm -rf "linux-$1.$2.1.tar.xz" "linux-$1.$2.1"
fi
}
#build configs for 3.x up to 3.18
for i in {1..18}; do
build_config 3 "$i"
done
#build configs for 4.x up to 4.18
for i in {1..18}; do
build_config 4 "$i"
done
version: '2.1'
services:
config_builder:
build:
context: ./
dockerfile: Dockerfile
image: checksec/config_builder
volumes:
- "./configs:/root/configs"
command: ["/root/build_kernel_configs.sh"]
#!/bin/bash
if [ -f /bin/bash ]; then
test_file="/bin/bash"
elif [ -f /bin/sh ]; then
test_file="/bin/sh"
elif [ -f /bin/ls ]; then
test_file="/bin/ls"
else
echo "could not find valid file to test"
exit 255
fi
#check json for proc-all
echo "starting proc-all check - json"
../checksec --format json --proc-all > output.json
jsonlint --allow duplicate-keys output.json > /dev/null
RET=$?
if [ $RET != 0 ]; then
echo "proc-all json validation failed"
exit $RET
fi
#check json for kernel
echo "starting kernel check - json"
../checksec --format json --kernel > output.json
jsonlint output.json > /dev/null
RET=$?
if [ $RET != 0 ]; then
echo "kernel json validation failed"
exit $RET
fi
#check json against custom kernel config to trigger all checks
echo "starting custom kernel check - json"
../checksec --format json --kernel kernel.config > output.json
jsonlint output.json > /dev/null
RET=$?
if [ $RET != 0 ]; then
echo "custom kernel json validation failed"
exit $RET
fi
#check json for file
echo "starting file check - json"
../checksec --format json --file "$test_file" > output.json
jsonlint output.json > /dev/null
RET=$?
if [ $RET != 0 ]; then
echo "file json validation failed"
exit $RET
fi
#check json for fortify file
echo "starting fortify-file check - json"
../checksec --format json --fortify-file "$test_file" > output.json
jsonlint output.json > /dev/null
RET=$?
if [ $RET != 0 ]; then
echo "fortify-file json validation failed"
exit $RET
fi
#check json for dir
echo "starting dir check - json"
../checksec --format json --dir /sbin > output.json
jsonlint output.json > /dev/null
RET=$?
if [ $RET != 0 ]; then
echo "dir json validation failed"
exit $RET
fi
echo "All json validation tests passed jsonlint"
rm -f output.json
#!/bin/bash
# run a quick test of checksec to ensure normal operations.
./xml-checks.sh || exit 2
./json-checks.sh || exit 2
#!/bin/bash
if [ -f /bin/bash ]; then
test_file="/bin/bash"
elif [ -f /bin/sh ]; then
test_file="/bin/sh"
elif [ -f /bin/ls ]; then
test_file="/bin/ls"
else
echo "could not find valid file to test"
exit 255
fi
#check xml for proc-all
echo "starting proc-all check - xml"
../checksec --format xml --proc-all > output.xml
xmllint --noout output.xml
RET=$?
if [ $RET != 0 ]; then
echo "proc-all xml validation failed"
exit $RET
fi
#check xml for kernel
echo "starting kernel check - xml"
../checksec --format xml --kernel > output.xml
xmllint --noout output.xml
RET=$?
if [ $RET != 0 ]; then
echo "kernel xml validation failed"
exit $RET
fi
#check xml against custom kernel config to trigger all checks
echo "starting custom kernel check - xml"
../checksec --format xml --kernel kernel.config > output.xml
xmllint --noout output.xml
RET=$?
if [ $RET != 0 ]; then
echo "custom kernel xml validation failed"
exit $RET
fi
#check xml for file
echo "starting file check - xml"